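FROM alpine:3.21.0
RUN \
    # Install the pinned system packages (exact versions for reproducibility).
    # NOTE(review): libcap (for setcap) and shadow (for usermod/groupmod) are
    # only used in this layer but remain in the final image; they could be
    # `apk del`-ed at the end of this RUN if entrypoint.sh/healthcheck.sh do
    # not rely on them — confirm before removing.
    apk add --update --no-cache \
        bind=9.18.32-r0 \
        bind-tools=9.18.32-r0 \
        libcap=2.71-r0 \
        python3=3.12.8-r1 \
        py3-pip=24.3.1-r0 \
        shadow=4.16.0-r1 \
        tini=0.19.0-r3 && \
    # Create the cache and log directories. named runs as the `named` user
    # (USER below) and the permissions layer chowns the cache dir to it, so it
    # does not need to be world-writable: owner rwx, group rx, nothing for
    # others (was 777).
    mkdir -p \
        /var/cache/bind \
        /var/log/named && \
    chmod 750 /var/cache/bind && \
    # Let named bind the privileged port 53 without root via a file capability.
    # It is stored as an xattr on the binary; verify it survived the build with
    # `getcap /usr/sbin/named` before relying on it.
    setcap 'cap_net_bind_service=+ep' /usr/sbin/named && \
    # Move the package-created named user/group to stable high ids so the
    # runtime (e.g. runAsNonRoot checks) can verify them; ownership of the
    # trees named touches is fixed up in the permissions layer.
    groupmod -g 10001 named && \
    usermod -u 10000 named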
# Project license at the image root
COPY LICENSE /LICENSE
# dns-config-watchdog: program, default zone list, dependency manifest and its
# own license, all placed in one directory (trailing slash = directory target)
COPY dns-config-watchdog/main.py \
     dns-config-watchdog/zones.json \
     dns-config-watchdog/requirements.txt \
     dns-config-watchdog/LICENSE \
     /opt/dns-config-watchdog/
# Create an isolated virtualenv for dns-config-watchdog and install its pinned
# requirements into it. The venv is activated so `pip3` resolves inside it.
# hadolint ignore=SC1091
RUN \
    venv=/opt/dns-config-watchdog/.venv && \
    python3 -m venv "$venv" && \
    . "$venv/bin/activate" && \
    pip3 install --no-cache-dir --root-user-action=ignore \
        -r /opt/dns-config-watchdog/requirements.txt
# BIND9 configuration tree (permissions are normalised in the next layer)
COPY bind /etc/bind/
# Container entrypoint and HEALTHCHECK probe, both at the filesystem root
COPY entrypoint.sh healthcheck.sh /
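# Set permissions on copied files
# pipefail so a failing `crontab -l` below is not masked by the pipeline
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN \
    # Config files: readable by everyone, writable only by the owner
    chmod 644 \
        /etc/bind/acl.blockednets \
        /etc/bind/acl.sponsornets \
        /etc/bind/db.0 \
        /etc/bind/db.127 \
        /etc/bind/db.255 \
        /etc/bind/db.empty \
        /etc/bind/db.local \
        /etc/bind/db.root \
        /etc/bind/named.conf \
        /etc/bind/named.conf.default-zones \
        /etc/bind/named.conf.options.template \
        /etc/bind/named.logging \
        /etc/bind/zones.rfc1918 && \
    # Nightly refresh of the root hints, appended to root's crontab.
    # NOTE(review): the container runs as `named` (USER below), the ENTRYPOINT
    # does not start crond, and curl is not among the apk packages installed
    # above, so this job only fires in a derived image that provides both.
    # `-f` makes curl fail on an HTTP error instead of writing the error body
    # over db.root (which named would otherwise load as root hints); -sS keeps
    # cron output limited to real errors. $DNS_RESTART is left unexpanded so
    # cron resolves it from its own environment.
    crontab -l | { cat; echo "0 0 * * * curl -fsS -o \"/etc/bind/db.root\" -z \"/etc/bind/db.root\" \"https://www.internic.net/domain/named.root\" && \$DNS_RESTART"; } | crontab - && \
    chmod +x \
        /entrypoint.sh \
        /healthcheck.sh && \
    # Hand the config, cache, log, pid and watchdog trees to the service user.
    # NOTE(review): this lets the named user rewrite its own configuration
    # (including the ACL files) and the watchdog's code/venv; presumably
    # dns-config-watchdog needs to write under /etc/bind — narrow this to the
    # files it actually writes if that can be confirmed.
    chown -R named:named \
        /etc/bind/ \
        /var/cache/bind/ \
        /var/log/named \
        /var/run/named/ \
        /opt/dns-config-watchdog/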
# Document the DNS ports (EXPOSE publishes nothing by itself). 53 is a
# privileged port; the non-root named process can bind it thanks to the
# cap_net_bind_service file capability set on /usr/sbin/named earlier.
EXPOSE 53/tcp 53/udp
# Every process from here on — entrypoint, named, health probe — runs as named
USER named
# Liveness probe; Docker's default timing spelled out explicitly
HEALTHCHECK --interval=30s --timeout=30s --start-period=0s --retries=3 \
    CMD ["/healthcheck.sh"]
# tini is PID 1 (zombie reaping, signal forwarding); entrypoint.sh receives
# the program to run as its first argument and presumably execs it
ENTRYPOINT ["/sbin/tini", "--", "/entrypoint.sh", "/usr/sbin/named"]
# Default named arguments (foreground, explicit config); overridable at
# `docker run`
CMD ["-g", "-c", "/etc/bind/named.conf"]